Balancing Security and Access for increased algorithmic integrity

[Originally published in Sep 2024 here, where an audio version is also available].

When we talk about security in algorithmic systems, it's easy to focus solely on keeping the bad guys out.

But there's another side to this coin that's just as important: making sure the right people can get in.

This article aims to explain how security and access work together for better algorithm integrity.

Why Does This Balance Matter?

Let’s break it down.

Keeping Bad Actors Out

It's obvious why we need to prevent unauthorized access.

Bad actors could:

• Steal Sensitive Data
• Manipulate Algorithms for Their Benefit
• Cause System Failures or Disruptions

These can lead to financial losses, reputational damage, and even legal consequences.

Robust security measures are a must.

Ensuring Necessary Access

Here's where it gets tricky.

While we're busy building digital fortresses, we need to make sure we're not locking out the good guys.

Prioritize access over security, and you're leaving the door open for potential breaches and misuse.

If you lean too far, and don’t give people the access they need, you can’t effectively ensure integrity.?

This creates a paradoxical situation where overzealous security measures actually create, or increase, risk.

Here's why, with reference to the 10 key aspects of algorithm integrity from a previous article:

• Limited Oversight: teams responsible for governing, monitoring and controlling algorithmic systems need access to perform their duties effectively. Without it, they're flying blind. [References to key aspects: 1. Accuracy and Robustness, 3.?Fairness (incl. impact assessments), 9.?Ethics and Training]
• Impaired Decision Making: Leaders and managers need access to make informed decisions about system development and deployment. Limited access can lead to decisions based on incomplete information. [Reference to key aspects: 2. Alignment with Objectives]
• Workarounds and Shadow IT: when users can't access the data they need, they might use unsanctioned tools or copy data to other environments, inadvertently creating new security risks. [References to key aspects: 5. Security, 6. Privacy]
• Reduced Transparency: overly restrictive access can make it difficult to efficiently provide transparency to executives, regulators or other stakeholders. [References to key aspects: 4. Transparency and Explainability, 7. Governance, Accountability and Auditability]
• Missed Early Warnings: small irregularities can be early indicators of larger problems; these subtle signs might go unnoticed until they escalate. [Reference to key aspects: 8. Risk Management]
• Incomplete Audits: auditors need full visibility. [Reference to key aspects: 10. Compliance]

Security and access are complementary

Robust security is crucial, but it must be balanced with the need for oversight and control.

The goal should be to create a secure algorithmic system that still allows for the necessary visibility and access to maintain integrity.

Ensuring that the right people have the right access reduces risk. We want security measures that don't hinder legitimate work, and access that doesn't compromise security.

By getting it right, we enhance algorithmic integrity.

??

If you found this article helpful, feel free to share it with a colleague or friend.

Disclaimer:?The information in this article does not constitute?legal advice.?It may not be relevant to your circumstances.?It may not be appropriate for high-risk use cases (e.g., as outlined in?The Artificial Intelligence Act - Regulation (EU) 2024/1689, a.k.a. the EU AI Act). It was written for consideration in certain algorithmic contexts within banks and insurance companies, may not apply to other contexts, and may not be relevant to other types of organisations.?